Professional Concepts Insurance


Safely Sharing and Disseminating Sensitive Data Within Your Company

The following material is provided for informational purposes only. Before taking any action that could have legal or other important consequences, speak with qualified legal and insurance professionals who can provide guidance that considers your own unique circumstances.

Every company has sensitive data that they need to protect. Sharing sensitive data among company employees in some form is standard practice. At the very least, it must be accessible to individual employees within the firm. Otherwise, there would be no reason for the company to have this data in the first place.

Making this data accessible creates significant security risks. IBM estimates that the average cost of a data breach is $3.92 million, proving that the effective management of data security risks is crucial for today’s businesses.[1] While the risk itself is inevitable, managing the appropriate procedures is critical. These best practices can help your company avoid a security breach, as well as the costly consequences that come along with it.

This article will provide many tips to help you share and disseminate sensitive data within your company with the utmost discretion and safety. Read on to learn how to effectively and safely deal with sensitive data in your company.

Categorizing Sensitive Data

One of the most important things you can do to secure your firm’s sensitive data is to categorize it. Most companies that categorize their sensitive data create categories according to how sensitive the data is. For example, companies often consider any data that includes personal information to be sensitive data.

If data is categorized as sensitive from the start, encrypt it whenever it is disseminated to company employees. It is also recommended that such data be encrypted when stored.

Categorizing is more complicated than it sounds because non-experts within your firm need to understand how to categorize data. You can make this easier for employees who are categorizing sensitive data through proper training and ongoing education.

Utilizing Cloud Storage

These days, many companies prefer to store data in the cloud, partially because this makes it easy to spread information among multiple employees. However, storing sensitive data in the cloud is quite risky. It is so risky that your firm may want to consider simply not storing or disseminating your most sensitive data in this manner. If you decide to use the cloud for storing such data, you need to make sure that you encrypt the data before uploading it.

It is also important that your cloud storage provider allows you to store encrypted data without providing them with the key to the encryption. Your firm should carefully inspect the terms of service for your cloud storage provider before storing sensitive data with them.

Carefully Controlling Employee Access

While many publicized data breaches come from external threats, threats can occur internally too. It is essential to control which employees see what data. The best way to do this is to create policies beforehand that specify which employees can access the most sensitive data, and then stick to them.

Unfortunately, many firms take a sort of ad hoc approach to this issue. These firms try to figure it out as they go. Without explicit written guidelines, an ad hoc approach can lead to employees having access to sensitive data they do not need. In the end, such an approach may result in a security breach from an internal threat.

Properly Training Employees

One of the most important things that you can do to safeguard data security within your firm is to train your employees. Every employee in your firm should receive at least basic data security training. Basic data security applies to everyone from the receptionist up to the CEO.

The receptionist will not need the same level of data security training as the CEO. However, data breaches often originate from low-level employees who have greater access to sensitive data than others initially thought.

It is best to train and educate new employees in data security immediately and stress the importance of keeping data secure at all times. If your firm waits to train everyone at once, new employees may go months before getting their data security training even though they have access to secure data.

It is also a good idea to have a compliance officer who is an expert in PCI or HIPAA, depending on what sort of work your firm does. This person can be responsible for the training and for enforcing data security compliance protocols throughout the organization.

Constantly Upgrading Your Firm’s Technology

Too many firms invest in the best hardware and software possible for data security and then forget about it for years. Security technology becomes obsolete relatively quickly, and this is true for both hardware and software.

It is essential to have your IT department regularly perform audits of the hardware and software you use for data security purposes. It is also crucial that your IT people stay up to date on industry news so they can hear about possible exploits in the software and hardware your firm uses.

Very secure programs can become security risks overnight if hackers find an exploit. If this is the case, your firm will need to safeguard the data being disseminated among employees immediately.

Unfortunately, many firms, especially large firms, are slow to react to even significant exploits. The “Bash” bug, for instance, endangered nearly every piece of internet-connected hardware running Linux in 2014 when publicized.[2] Some businesses took months to update their servers after the bug was revealed. This delay gave nefarious hackers ample time to study proprietary data systems and copy off sensitive data quietly.

Monitoring IT Systems Constantly

Many firms have a false sense of confidence that they know what is going on within their IT systems. Even highly trained and experienced IT professionals can be lulled into this sense of false confidence by long periods without security threats. However, it is common for firms only to discover breaches months after they’ve occurred. Evidence shows that even the best IT professionals cannot afford to sit back and let things happen within their IT systems without monitoring them.

One of the fundamental ways IT professionals within your firm can monitor what is going on within their systems is by documenting each change they make. If your firm has a security issue when disseminating sensitive data, this documentation will make it easier to pinpoint the security issue precisely. It is also essential to log every user who shares, accesses, or downloads the most sensitive data.

Users cannot be trusted to do this manually, unfortunately. Your firm’s IT professionals must have a system in place that painstakingly logs the interactions users have with your firm’s sensitive data.

Securing Hardware That Stores Sensitive Data

Many serious data breaches have come about in recent years because employees took devices containing sensitive data out of the workplace and lost them or had them stolen. You may have sensitive data secured very thoroughly on every device used by employees. However, if hackers get their hands on a piece of hardware with sensitive data on it, they can break through your security protocols and steal data. When they physically possess a piece of hardware with sensitive data on it, they have much more time to break into the device than they would if they were hacking your system remotely, because in the remote case your security software would quickly notice their intrusion.

All a hacker has to do is disable the device’s internet connection; the device then cannot receive any orders to shut down or wipe its data. Companies need to go to great lengths to secure laptops, tablets, and smartphones containing sensitive data. Your company may require that devices with highly sensitive data remain within the company’s workspace. Otherwise, your firm could implement strict security protocols that require each employee to sign out any device that has secure data on it and to account for the device at all times.

Setting Up the Appropriate Security Protocols

Now that you have learned more about safely disseminating sensitive data within your company, it is time to set up the appropriate security protocols. The knowledge you have gained must be put into practice to protect your firm’s data and client data.

Many businesses have IT departments that can implement some of the security protocols mentioned in this article. However, it may be a good idea to bring in expert computer security consultants. While such consultants do not come cheap, they can provide recommendations that will help your company avoid data breaches for years to come. Although your firm’s IT department is undoubtedly vital, having a second set of eyes looking at your security protocols from a more objective perspective will be valuable.


Can We Be of Assistance?

We may be able to help you by providing referrals to consultants, and by providing guidance relative to insurance issues, and even to certain preventives, including the development and application of sound human resources management policies and procedures.

Please call on us for assistance.

We’re a member of the Professional Liability Agents Network (PLAN).

WE’RE HERE TO HELP!

Contact us at 800-969-4041 to request a confidential evaluation of your insurance policies and risk management needs.

References:

[1] https://www.ibm.com/security/data-breach

[2] https://tbgsecurity.com/shell-attack-on-your-server-bash-bug-cve-2014-7169-and-cve-2014-6271/